New Node.js trojan threatens gamers

June 19, 2019

Researchers at Doctor Web’s virus laboratory have studied a new type of downloader trojan. The malware is written in JavaScript and uses Node.js to launch itself within a system. It is distributed through websites offering cheats for popular video games and has been named Trojan.MonsterInstall.

Yandex submitted a rare sample of the Node.js trojan to Doctor Web’s virus laboratory for research. This malware was distributed via websites with video game cheats and has several versions and components.

When users attempt to download a cheat, they receive a password-protected 7zip archive. Inside is an executable file which, upon launch, downloads the requested cheats along with the trojan’s other components.

Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system it is installed on, and sends it to the developer’s server. After receiving a response, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency.

Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.

Websites owned by the malware developers:

румайнкрафт[.]рф;

clearcheats[.]ru;

mmotalks[.]com;

minecraft-chiter[.]ru;

torrent-igri[.]com;

worldcodes[.]ru;

cheatfiles[.]ru.

Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.
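The domains above can be matched against proxy or DNS logs, where the Cyrillic domain appears in its punycode form and hosts may be subdomains of a listed site. The following Python sketch is an added example, not part of Doctor Web's publication; the `host=` log field and the sample log lines are constructed assumptions.

```python
import re

# Defanged domains exactly as listed in the article above.
OWNED = ["румайнкрафт[.]рф", "clearcheats[.]ru", "mmotalks[.]com",
         "minecraft-chiter[.]ru", "torrent-igri[.]com", "worldcodes[.]ru",
         "cheatfiles[.]ru"]
INFECTED = ["proplaying[.]ru"]  # third-party site where some cheats were infected

def normalize(domain: str) -> str:
    """Refang, lowercase, drop a trailing dot, convert IDN labels to punycode."""
    d = domain.replace("[.]", ".").strip().rstrip(".").lower()
    return d.encode("idna").decode("ascii")

WATCHLIST = {normalize(d): "owned" for d in OWNED}
WATCHLIST.update({normalize(d): "infected" for d in INFECTED})
HOST_RE = re.compile(r"\bhost=(\S+)")  # assumed log field name

def match_host(host: str):
    """Return (listed_domain, category) if host is a listed domain or a subdomain of one."""
    try:
        h = normalize(host)
    except UnicodeError:  # malformed host name, e.g. an empty or overlong label
        return None
    labels = h.split(".")
    for i in range(len(labels) - 1):  # walk up parent domains, never the bare TLD
        parent = ".".join(labels[i:])
        if parent in WATCHLIST:
            return parent, WATCHLIST[parent]
    return None

def scan(lines):
    # Collect (line_number, host_as_logged, listed_domain, category) for each hit.
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        hit = match_host(m.group(1)) if m else None
        if hit:
            hits.append((n, m.group(1), *hit))
    return hits

# Constructed sample proxy log lines (not real telemetry).
SAMPLE_LOG = [
    "2019-06-19T10:01:02 user=pc-17 host=www.clearcheats.ru path=/download",
    "2019-06-19T10:01:09 user=pc-17 host=example.org path=/",
    f"2019-06-19T10:02:30 user=pc-22 host={normalize('румайнкрафт[.]рф')} path=/",
    "2019-06-19T10:03:11 user=pc-08 host=notclearcheats.ru path=/",
    "2019-06-19T10:04:45 user=pc-08 host=PROPLAYING.RU. path=/files",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on whole labels keeps look-alike hosts such as `notclearcheats.ru` from triggering a false hit while still catching `www.` and other subdomains.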
